b'W                                                                           May 13,1999\n\n\nTO:              Distribution\n\nFROM:            W/Assistant Inspector General for Auditing\n\nSUBJECT:         Final Report on Exemptions for Year 2000 Testing, Johnson Space Center\n                 Audit Assignment A9900800\n                 Report Number IG-99-025\n\nThe subject final report is provided for your use. Please refer to the Results in Brief for the\noverall audit results. We have incorporated your comments into the final report, as appropriate,\nand included them in their entirety as an appendix to our report. Our evaluation of your\ncomments is included in the body of the report. The corrective actions taken or planned for\nrecommendations 1 through 4 were responsive. Please provide us with the documented\nprocedures that you used to implement the recommendations. All of the recommendations are\nundispositioned and will remain open pending receipt of documented procedures.\n\nIf you have questions concerning the report, please contact Mr. David L. Gandrud, Program\nDirector, Information Technology Program Audits, at (650) 604-2672, or Ms. Bessie J. Cox,\nAuditor-in-Charge, at (281) 483-5271. We appreciate the courtesies extended to the audit staff.\nThe final report distribution is in Appendix F.\n\n[Original signed by]\n\n\nRussell A. Rau\n\nEnclosure\n\x0c                                              2\ncc:\nB/Chief Financial Officer\nG/General Counsel\nM/Associate Administrator for Space Flight\nJM/Director, Management Assessment Division\n\x0c                                                                                 3\nbcc:\nAO/Audit Liaison Representative\nARC/204-11/D. Gandrud, Program Director, Information Technology Program Audits\nJSC/BD/Audit Liaison Representative\nJSC/W-JS/B. Cox, Auditor\nAIGA, IG, Reading (w/o Encl.) Chrons\n\x0c                                                        IG-99-025\n\n\n\n\nAUDIT\n                           EXEMPTIONS FOR YEAR 2000 TESTING,\nREPORT                          JOHNSON SPACE CENTER\n                                       MAY 13, 1999\n\n\n\n\n                               OFFICE OF INSPECTOR GENERAL\n\nNational Aeronautics and\nSpace Administration\n\x0cAdditional Copies\n\nTo obtain additional copies of this audit report, contact the Assistant Inspector General for\nAuditing at (202) 358-1232, or visit www.hq.nasa.gov/office/oig/hq/issuedaudits.html.\n\nSuggestions for Future Audits\n\nTo suggest ideas for or to request future audits, contact the Assistant Inspector General for\nAuditing. Ideas and requests can also be mailed to:\n\n       Assistant Inspector General for Auditing\n       NASA Headquarters\n       Code W, Room 8V69\n       300 E Street, SW\n       Washington, DC 20546-1000\n\n\nNASA Hotline\n\nTo report fraud, waste, or abuse, contact the NASA OIG Hotline at (800) 424-9183, (800) 535-\n8134 (TDD), or at www.hq.nasa.gov/office/oig/hq/hotline.html, or write to the NASA Inspector\nGeneral, P.O. Box 23089, L\xe2\x80\x99Enfant Plaza Station, Washington, DC 20026. The identity of each\nwriter and caller can be kept confidential, upon request, to the extent permitted by law.\n\n\n\nAcronyms\n\nCIO            Chief Information Officer\nFMD            Financial Management Division\nIT             Information Technology\nY2K            Year 2000\n\x0c                         NASA Office of Inspector General\n\nIG-99-025                                                                    May 13, 1999\n A9900800\n\n                        Exemptions for Year 2000 Testing,\n                            Johnson Space Center\n\nIntroduction\n\nThe NASA Office of Inspector General is conducting an audit of the Year 2000 (Y2K)\nimplementation phase. The overall objective of the audit is to determine whether NASA has\neffectively managed the implementation of Y2K compliant systems. See Appendix A for the\nspecific audit objectives. Although not specifically related to the audit objectives, we\nidentified a condition at the Johnson Space Center (Johnson) that may adversely affect the\nAgency\xe2\x80\x99s Y2K efforts. See Appendix B for audit reports on Y2K matters issued by the\nNASA Office of Inspector General.\n\nResults in Brief\n\nJohnson\xe2\x80\x99s Financial Management Division (FMD) had not requested an exemption from the\nNASA Y2K Agency Testing and Certification Guidelines and Requirements (NASA guidance)\nfor the Center Financial System. In the absence of an exemption to the July 1998 guidance,\nthe Johnson Chief Information Officer (CIO) has no basis on which to assess the adequacy of\ntesting the FMD performed on the Center Financial System prior to issuance of the guidance.\nAccordingly, the Agency lacks assurance that the Center Financial System will meet the\nminimum requirements for Y2K compliance.\n\nBackground\n\nIn August 1996, NASA initiated the Y2K program to address the challenges imposed on\nAgency software, hardware, and firmware\xe2\x88\x97 systems by the new millennium. The Agency\nprogram is centrally managed by the NASA CIO, with decentralized execution of program\nrequirements at each of the NASA Centers, Headquarters, and the Jet Propulsion Laboratory.\n\nIn January 1997, the Office of Management and Budget required all Federal agencies to adopt\nthe General Accounting Office, five-phase model for implementing the Y2K program. Those\nphases (awareness, assessment, renovation, validation, and implementation) are defined in\nAppendix C.\nOn July 2, 1998, the NASA CIO issued the NASA guidance. The objectives of the guidance\nwere to (1) provide general guidance and requirements for Y2K certification and testing and\n\xe2\x88\x97\n Firmware systems are the computer programs that are permanently stored in a hardware\ndevice.\n\x0c(2) establish required minimal Y2K test criteria and certification processes for NASA\ninventory items.\n\nJohnson planned to use the NASA guidance to ensure that all Johnson information technology\n(IT) systems would be certified Y2K compliant by March 31, 1999. The plan required\nJohnson organizations to perform tests commensurate with the risk level and the probability of\nproblem occurrence for their respective IT systems.\n\nThe FMD is responsible for providing internal controls to safeguard assets, ensuring that bills\nare processed for goods and services, promoting the accuracy and reliability of financial data,\nand encouraging adherence to approved NASA financial management policies. FMD provides\nthe following functions:\n\n   \xe2\x80\xa2   Funding and internal controls\n   \xe2\x80\xa2   Accounts payable\n   \xe2\x80\xa2   Travel funding and claims\n   \xe2\x80\xa2   Labor and payroll\n   \xe2\x80\xa2   Accounts receivable\n   \xe2\x80\xa2   Resources control and reimbursables\n   \xe2\x80\xa2   Collections\n   \xe2\x80\xa2   Cost accounting\n   \xe2\x80\xa2   Property and accounting control\n\nThe FMD is responsible for assessing, renovating, validating, and implementing the Center\nFinancial System to ensure Y2K compliance. The Center Financial System is a Johnson\nmission-critical system that includes 21 separate modules. See Appendix D for a list of the\n21 modules. The modules provide the processing support needed by FMD to perform the\nabove systems and functions.\n\nRequest for Exemption From NASA Guidance\n\nFinding. The FMD completed its tests of the Center Financial System before NASA issued\nthe July 1998 guidance, but had not submitted a request for exemption from the guidance.\nThis condition occurred because the Johnson CIO had not established procedures to\nimplement the exemption process. Without the exemption, the Johnson CIO lacks reasonable\nassurance that the Center Financial System will meet the minimum testing requirements for\nY2K compliance.\n\nNASA Guidance. The NASA guidance describes the process for testing and certifying\ninventory items for Y2K compliance. Specifically, it requires organizations to prepare test\nplans and procedures regarding the levels of testing, test criteria, and test procedures. The\nguidance requires organizations to document the test results in a test report or completed\nY2K checklist for each inventory item tested.\n\n\n\n\n                                               2\n\x0cThe NASA guidance makes NASA Centers responsible for identifying items to be assessed,\nrenovated, validated, and certified Y2K compliant. A NASA inventory item may be an IT\nsystem, non-IT system, application, hardware component, software component, firmware, or\na commercial-off-the-shelf product. An inventory item may be a combination of custom\nsoftware, hardware, and commercial-off-the-shelf products, or any component item.\n\nThe NASA guidance states that an exemption from required testing may be granted for\ninventory items for which testing had been completed before July 2, 1998, if the items meet\nthe following criteria:\n\n     \xe2\x80\xa2   The test approach for the inventory item met the minimal test requirements and\n         criteria established in the guidance, commensurate with the level of risk of the\n         inventory item.\n     \xe2\x80\xa2   Processes followed for the inventory item testing met the intent of the guidance\n         through comparable test and certification processes.\n\nThe Center CIO Representative and Center Y2K Project Manager must assess an\norganization\xe2\x80\x99s request for exemption. If approved, the Center CIO must then report the\napproval action to the NASA Y2K Program Manager.\n\nJohnson Y2K Actions for the Center Financial System. During the initial assessment and\nsubsequent reassessment of IT systems, Johnson identified the Center Financial System as a\nmission-critical inventory item. FMD personnel began assessing the system in January 1997;\ncompleted renovation and validation testing in April 1998 and May 1998, respectively; and\nimplemented the system in June 1998.\n\nThe FMD prepared a Y2K test plan in January 1997, before NASA issued its testing\nguidance. Accordingly, the plan did not reference the required test levels, test criteria, and\ntest procedures. As a \xe2\x80\x9creasonableness check\xe2\x80\x9d on the adequacy of Y2K tests previously\nperformed, FMD personnel completed a Y2K checklist taken from the then draft NASA\nguidance, for each of the 21 modules that made up the Center Financial System. However,\nneither the contractor personnel who performed the testing nor a Johnson manager could\nsupport the results of the checklist reviews. Without documentation supporting the answers\non the checklists, we could not determine the adequacy of Y2K testing performed or whether\nit met NASA requirements. Similarly, NASA management has no assurance that sufficient\ntesting was performed.\n\nSince Johnson completed testing of the Center Financial System before NASA issued its\nguidance, FMD personnel should have requested an exemption from the guidance if prior\ntesting satisfied the intent of the guidance. FMD personnel made no such request because\nJohnson had not established procedures for requesting exemptions. Without such procedures,\nFMD personnel were unaware of the need to request an exemption or of possible\nshortcomings in the testing performed.\n\n\n\n\n                                               3\n\x0cRecommendations, Management\xe2\x80\x99s Comments, and Evaluation of Response\n\nThe Director, Johnson Space Center should:\n\n       1. Establish procedures for processing exemptions of IT inventory items for\n          which testing was completed before July 2, 1998.\n\n       2. Require Johnson organizations to submit exemption requests for all systems\n          for which testing was completed before July 2, 1998.\n\n       3. Approve only those exemption requests that satisfy the minimum testing and\n          documentation requirements set forth in the NASA guidance.\n\n       4. Require organizations to perform validation testing required by the NASA\n          Y2K Agency Testing and Certification Guidelines and Requirements for any\n          inventory item that (1) had been tested before the guidance was issued, and\n          (2) did not meet minimum testing requirements set forth in the NASA\n          guidance.\n\nManagement\xe2\x80\x99s Comments. Concur. Management stated that the recommendations either\nhad been implemented or will be implemented. The complete text of management\xe2\x80\x99s response\nis in Appendix E.\n\nManagement took exception to the report statement \xe2\x80\x9cIn the absence of an exemption to the\nJuly 1998 guidance, the Johnson Chief Information Officer (CIO) has no basis on which to\nassess the adequacy of testing the FMD performed on the Center Financial System prior to\nissuance of the guidance.\xe2\x80\x9d\n\nManagement cited the following reasons for believing that remediation of the Center Financial\nSystem was successful.\n\n   \xe2\x80\xa2    Two formal Y2K reviews, chaired by the Johnson CIO, had covered the\n        Center Financial System remediation effort and the results of that effort.\n   \xe2\x80\xa2    The Johnson Program Management Council had conducted two Y2K\n        reviews.\n   \xe2\x80\xa2    Officials involved in the Y2K issue had held numerous discussions regarding\n        remediation of the Center Financial System.\n   \xe2\x80\xa2    The Y2K working group held frequent discussions regarding remediation of\n        the Center Financial System.\n   \xe2\x80\xa2    Johnson had successfully used the remediated software for the last 9 months.\n\n\n\n\n                                              4\n\x0cEvaluation of Response. Management\xe2\x80\x99s comments are fully responsive to the\nrecommendations. The actions planned and taken should ensure that all Johnson\nsystems that completed testing before NASA issued its guidance in July 1998 will\nmeet minimum Y2K testing requirements.\n\nWe maintain that until Johnson establishes and implements an exemption process, the Johnson\nCIO has no basis on which to assess the adequacy of pre-July 1998 testing that FMD\npersonnel had performed on the Center Financial System. Although Johnson officials had\nformally reviewed and discussed remediation actions for the Center Financial System,\navailable documentation showed no evidence that FMD had met the minimum testing\nrequirements stated in the NASA guidance.\n\n\n\n\n                                             5\n\x0c                   Appendix A. Objectives, Scope, and Methodology\n\nObjectives\n\nOur overall objective in this ongoing audit is to determine whether NASA has effectively\nmanaged the implementation of Y2K compliant systems. Specifically, we are evaluating the\nadequacy of:\n\n         \xe2\x80\xa2    acceptance testing;\n\n         \xe2\x80\xa2    contingency and disaster recovery planning;\n\n         \xe2\x80\xa2    the validation process for information received from data exchanges; and\n\n         \xe2\x80\xa2    change/version control over renovated systems migrating into the production\n              environment.\n\nAs part of the overall objective, we assessed the adequacy of the testing performed on\nJohnson\xe2\x80\x99s Center Financial System to determine whether the system had been fully tested and\nwas Y2K compliant. Implementation of Y2K compliant systems and their components\nrequires extensive testing to ensure that all converted or replaced system components perform\nadequately in an operational environment.\n\nScope and Methodology\n\nDuring the audit, we:\n\n     \xe2\x80\xa2       Reviewed available documentation, dated January 1997 through March 1999, at\n             Johnson, that supported validation testing for 4 mission-critical systems and 31 non-\n             mission-critical systems. (Johnson has a total of about 400 mission-critical and non-\n             mission-critical systems.) The Center Financial System was the only system we\n             reviewed at Johnson for which testing had been completed before the Agency issued\n             the July 2, 1998, guidance.\n\n     \xe2\x80\xa2       Interviewed Y2K representatives at NASA Headquarters and Johnson to determine\n             the processes and procedures used for ensuring Y2K compliance.\n\nManagement Controls Reviewed\n\nWe reviewed initial Y2K guidance and the related processes and procedures Johnson used to\ntest and implement IT systems. In addition, we tested those controls to verify that the\ncontrols were working as described. Based on work done on this continuing audit, we found\none deficiency, as noted in the finding.\n\n\n\n                                                  6\n\x0cAppendix A\n\nAudit Field Work\n\nWe performed the audit field work for this report from November 1998 through February\n1999. We conducted the audit in accordance with generally accepted government auditing\nstandards.\n\n\n\n\n                                            7\n\x0c                    Appendix B. Summary of Prior Coverage\n\n\nThe NASA Office of Inspector General has issued two reports relating to Y2K compliance.\nThese reports are summarized below.\n\n\xe2\x80\x9cYear 2000 Date Conversion \xe2\x80\x93 Assessment Phase,\xe2\x80\x9d IG-98-040, September 30, 1998.\nSome NASA Centers did not have documented support for Y2K cost estimates reported to\nOMB and did not prepare estimates using a consistent methodology. Also, documentation did\nnot always exist to support the manner in which Center assessments and decisions for Y2K\ncompliance were conducted. The audit showed that NASA Centers also needed to improve\nthe sharing of information on the status of Y2K compliance associated with commercial\noff-the-shelf products. We made three recommendations to assist NASA in addressing the\nY2K date conversion problem. Management concurred with the two recommendations\nconcerning documentation for Y2K assessments and the sharing of information on commercial\noff-the-shelf products. Management did not concur with the recommendation concerning\nguidance for Y2K cost estimates, stating that adequate guidance on cost estimation had been\nprovided to NASA Centers. We reaffirmed our position on this recommendation and\nrequested additional comments in the final report.\n\n\n\xe2\x80\x9cYear 2000 Program Oversight of NASA Production Contractors,\xe2\x80\x9d IG-99-004,\nDecember 17, 1998. NASA lacks reasonable assurance that its production contractors will\nprovide Year 2000-compliant data to support the Agency\xe2\x80\x99s key financial and program\nmanagement activities. This condition occurred because NASA had not asked the Defense\nContract Audit Agency and the Defense Contract Management Command to conduct Y2K\nreviews at NASA\xe2\x80\x99s major contractor locations. As a result, NASA risks using noncompliant\ndata that may adversely affect the Agency\xe2\x80\x99s control, budgeting, program management, and\ncost accounting activities. We made two recommendations to NASA relating to the Y2K\nstatus of its major contractors. Management concurred with the intent of the\nrecommendations and issued a letter to the Defense Contract Audit Agency requesting data\non Y2K coverage at the Agency\xe2\x80\x99s major contractors. In addition, NASA issued a letter to its\nCenter Procurement Officers instructing them to monitor Y2K problems identified by the\nDefense Contract Audit Agency.\n\n\n\n\n                                             8\n\x0c             Appendix C. Definitions of Five-Phase Model for Y2K\n\nAwareness                 \xe2\x80\xa2   Define the Y2K problem and gain executive-level support\n                              and sponsorship.\n                          \xe2\x80\xa2   Establish a Y2K program team and develop an\n                              overall strategy.\n                          \xe2\x80\xa2   Ensure that everyone in the organization is fully\n                              aware of the activity.\nAssessment                \xe2\x80\xa2   Assess the Y2K impact on the Enterprise.\n                          \xe2\x80\xa2   Identify core business areas and processes, inventory and\n                              analyze systems supporting the core business areas, and\n                              prioritize their conversion or replacement.\n                          \xe2\x80\xa2   Develop contingency plans to handle data exchange issues,\n                              lack of data, and bad data.\n                          \xe2\x80\xa2   Identify and secure the necessary resources.\nRenovation                \xe2\x80\xa2   Convert, replace, or eliminate selected platforms,\n                              applications, databases, and utilities.\n                          \xe2\x80\xa2   Modify interfaces.\nValidation                \xe2\x80\xa2   Test, verify, and validate converted or replaced platforms,\n                              applications, databases, and utilities.\n                          \xe2\x80\xa2   Test the performance, functionality, and integration of\n                              converted or replaced platforms, applications, databases,\n                              utilities, and interfaces in an operational environment.\nImplementation            \xe2\x80\xa2   Implement converted or replaced platforms, applications,\n                              databases, utilities, and interfaces.\n                          \xe2\x80\xa2   Implement data exchange contingency plans, if\n                              necessary.\n\n\n\n\n                                         9\n\x0c        Appendix D. Modules Included in the Center Financial System\n\nBasic Accounting System, Modules 1 through 4\xe2\x80\x94System used to maintain detail and summary\nhistory files for the fiscal year.\n\nCash Management System\xe2\x80\x94Automated system used to approve and process vendor invoices\nfor payment.\n\nCentral Budget System\xe2\x80\x94System that allows budget planning and provides budget status.\n\nCivil Service Labor Distribution System\xe2\x80\x94System that processes all Johnson employee labor\ndistribution data on a biweekly frequency in a batch mode and that provides labor cost to the\nInteractive Basic Accounting System database by Primary Work Code.\n\nContractor Cost Accrual System\xe2\x80\x94Financially structured database that permits both budget\nanalysts and cost accountants to report cost and workforce information on selected contracts\nand purchase orders.\n\nFinancial and Contractual Status\xe2\x80\x94System that reports contract performance and other\ninformation regarding the procurement and financial impacts for business agreements as a\nresult of Johnson operations.\n\nFinancial Management Division Forms\xe2\x80\x94System used for printing reimbursable billings.\n\nInteractive Basic Accounting System, Modules 1 through 5\xe2\x80\x94Primary Johnson online interactive\nsystem used by FMD to enter and retrieve all types of funding.\n\nInteractive Consolidated Financial Accounting System\xe2\x80\x94Single, integrated, and consolidated\nsource for financial analysis and reporting at all stages of the Johnson budget execution cycle,\nfrom program authorization to fund disbursement.\n\nJob Order Cost System\xe2\x80\x94Application developed for cost and workforce accumulation to enable\nmonthly recording and tracking of contract cost and workforce performance.\n\nNASA Personnel/Payroll System\xe2\x80\x94Local code for selected reports only, including the Employee\nLeave and Earnings Statement.\n\nResource Information Management System\xe2\x80\x94Database driven reporting system used primarily to\nmaintain property records and to report specific data in funding allocations and payroll/labor\ndata.\n\n\n\n\n                                               10\n\x0cAppendix D\n\nSubauthorization System\xe2\x80\x94System that provides NASA Headquarters and Johnson management\nwith information on subauthorizations with other NASA centers.\n\nUNYSIS Interactive Consolidated Financial Accounting System\xe2\x80\x94Simple download program\nbetween the Unisys systems and the Interactive Consolidated Financial Accounting System\ndatabase.\n\n\n\n\n                                             11\n\x0cAppendix E. Management\xe2\x80\x99s Response\n\n\n\n\n               12\n\x0cAppendix E\n\n\n\n\n             13\n\x0c                         Appendix F. Report Distribution\n\nNational Aeronautics and Space Administration (NASA) Headquarters\n\nCode A/Administrator\nCode AI/Associate Deputy Administrator\nCode AO/Chief Information Officer\nCode B/Chief Financial Officer\nCode B/Comptroller\nCode G/General Counsel\nCode H/Acting Associate Administrator for Procurement\nCode J/Associate Administrator for Management Systems and Facilities\nCode JM/Director, Management Assessment Division\nCode L/Associate Administrator for Legislative Affairs\nCode M/Associate Administrator for Space Flight\nCode R/Associate Administrator for Aero-Space Technology\nCode R/Chief Information Officer Representative\nCode S/Associate Administrator for Space Science\nCode Y/Associate Administrator for Earth Science\nCode Z/Associate Administrator for Policy and Plans\n\nNASA Centers\n\nDirector, Ames Research Center\nDirector, John H. Glenn Research Center at Lewis Field\nDirector, Goddard Space Flight Center\nDirector, John F. Kennedy Space Center\n Chief Counsel, Kennedy Space Center\nDirector, Langley Research Center\nDirector, Lyndon B. Johnson Space Center\n Chief Information Officer, Johnson Space Center\nDirector, George C. Marshall Space Flight Center\nDirector, John J. Stennis Space Center\n\nNASA Offices of Inspector General\n\nAmes Research Center\nDryden Flight Research Center\nJohn H. Glenn Research Center at Lewis Field\nGoddard Space Flight Center\nJet Propulsion Laboratory\nLyndon B. Johnson Space Center\nJohn F. Kennedy Space Center\nLangley Research Center\n\n\n\n                                            14\n\x0cAppendix F cont\xe2\x80\x99d\n\nNASA Offices of Inspector General (Cont\xe2\x80\x99d)\n\nGeorge C. Marshall Space Flight Center\nJohn C. Stennis Space Center\n\nNon-NASA Federal Organizations and Individuals\n\nAssistant to the President for Science and Technology Policy\nAssistant to the President and Chair, President\xe2\x80\x99s Council on Y2K Conversion\nDeputy Associate Director, Energy and Science Division, Office of Management and Budget\nBudget Examiner, Energy Science Division, Office of Management and Budget\nAssociate Director, National Security and International Affairs Division,\n General Accounting Office\nProfessional Assistant, Senate Subcommittee on Science, Technology, and Space\n\nChairman and Ranking Minority Member -- Congressional Committees and\nSubcommittees\n\nSenate Committee on Appropriations\nSenate Subcommittee on VA, HUD and Independent Agencies\nSenate Committee on Commerce, Science, and Transportation\nSenate Subcommittee on Science, Technology, and Space\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on VA, HUD and Independent Agencies\nHouse Committee on Government Reform and Oversight\nHouse Subcommittee on National Security, Veterans Affairs, and International Relations\nHouse Committee on Science\nHouse Subcommittee on Space and Aeronautics\n\nCongressional Member\n\nHonorable Pete Sessions, U.S. House of Representatives\n\n\n\n\n                                            15\n\x0cMajor Contributors to this Report\n\nDavid L. Gandrud, Program Director, Information Technology Program Audits\nEsther A. Judd, Program Manager\nBessie J. Cox, Auditor-in-Charge\nBarbara J. Smith, Program Assistant\nNancy Cipolla, Report Process Manager\n\x0c'